The Windows Incident Response Blog is dedicated to the myriad information surrounding and inherent to the topics of IR and digital analysis of Windows systems. This blog provides information in support of my books; "Windows Forensic Analysis" (1st thru 4th editions), "Windows Registry Forensics",
as well as the book I co-authored with Cory Altheide, "Digital Forensics with Open Source Tools".

Friday, December 24, 2004

Why do we have to make things so hard?

This blog entry should probably be subtitled, "What happened to the KISS principle??"

Not too long ago, I picked up this entry on the Viruslist.com site, and wanted to find out more about this change in adware/malware. I checked out the comments that followed the post, and got a lead...the "viral adware" is also known as Holax. Googling, I found this at the CA site, but beyond that, I haven't found a great deal of (useful) information as of yet.

First off, what's the issue? It seems that the adware (causes ads to appear in IE), CoolWebSearch (CWS) has been modified to be more difficult to detect and/or remove. Evidently, the initial infection occurs via the MHTML URL Processing Vulnerability, which seems to be specific to Outlook. Once on the system, it drops a DLL into the %SYSTEM% directory; according to CA...though I'm not sure which directory this is supposed to refer to...on my XP Home system, that variable doesn't seem to exist. CA says it's the "system32" directory.

Next, the malware (at this point, it's malware, as CWS is still being installed) searches for executables loaded automatically by the Run and RunServices keys, as well as in the StartUp folders (current user and All Users), and modifies their import tables (the list of DLLs loaded when the program is run) to include a reference to its DLL.

From the CA description: "The trojan attempts to modify each executable it finds. As most of these programs are constantly running, they can't be modified directly. Instead, the trojan makes a copy of each executable in the temporary directory, and modifies the copy. It then tells Windows to replace each original file with the modified copy the next time the operating system is restarted."

Okay, so...what do you do? I'd say that the first step is prevention...which means patching your system. Since the explanation from MS says that this issue is specific to Outlook, then perhaps not running Outlook would be another step to consider.

Now, how about detection? According to CA, the installed adware is capable of updating itself from a site called crdrcr.com. Also, the DLL installed in the system32 directory has a random name, starting with the letters "MS". So, searching the system32 directory for all DLLs that start with those letters (i.e., "c:\>dir [winnt|windows]\system32\ms*.dll") and checking which of them are not legitimate DLLs would be a way of quickly determining if you've been infected.

So how do you determine if the DLL is legit? Well, MS used to have a tool available called "showbinarymfr.exe" that would've been very useful for this, but since it seems to have been removed from the MS site, you'll have to use some other means of locating it. I've written Perl scripts that use the Win32::File::Ver module (can also use Win32::Exe) to retrieve file version information from executable (.exe, .dll, .sys, etc.) files. What you'd be looking for is any of the DLLs resulting from the above 'dir' command that do not contain file version information specific to Microsoft, or to any other legitimate software manufacturer (e.g., Adobe).

If you know what DLL you're looking for specifically, listdlls would be helpful.

Finally, CA wasn't too clear about how the malware "tells Windows to replace each original file". However, I have seen other adware/malware that uses the wininit.ini file to perform file replacements upon system restart. So you might also check for (or the contents of) this file, as well.
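As an added example (not the author's Perl script, which is not reproduced on this page), here is a PowerShell equivalent of the checks above: it lists system32\ms*.dll, flags any whose version resource does not name a trusted vendor, and, going slightly beyond the post, also reports the Authenticode signature status, since a version resource is plain metadata that can be copied or forged; it then prints wininit.ini if that file exists. The paths under $env:windir and the trusted-vendor list are assumptions.

```powershell
# Added example: triage system32\ms*.dll by version info and signature,
# then look for wininit.ini. Not the blog author's script.
param(
    [string]$System32 = (Join-Path $env:windir 'system32'),
    # Vendors accepted as legitimate; extend as needed (assumption)
    [string[]]$TrustedCompanies = @('Microsoft Corporation')
)

$suspect = @()
Get-ChildItem -Path $System32 -Filter 'ms*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo
        # A missing version resource yields an empty CompanyName and is flagged too
        $company = if ($vi.CompanyName) { $vi.CompanyName.Trim() } else { '' }
        $known = $TrustedCompanies | Where-Object { $company -like "*$_*" }
        if (-not $known) {
            $suspect += [pscustomobject]@{
                Name        = $_.Name
                Company     = $company
                Description = $vi.FileDescription
                # Signature status is the stronger check; 'Valid' means a trusted signer
                Signature   = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                Modified    = $_.LastWriteTime
            }
        }
    }

if ($suspect.Count -eq 0) {
    Write-Host "Every ms*.dll in $System32 names a trusted vendor in its version info."
} else {
    Write-Host "DLLs in $System32 whose version info does not name a trusted vendor:"
    $suspect | Sort-Object Modified -Descending | Format-Table -AutoSize
}

# wininit.ini, when present, lists file replacements to perform at the next restart
$wininit = Join-Path $env:windir 'wininit.ini'
if (Test-Path -Path $wininit) {
    Write-Host "Found $wininit; contents:"
    Get-Content -Path $wininit
} else {
    Write-Host "No wininit.ini found in $env:windir."
}
```

Run it from a 64-bit PowerShell on 64-bit Windows, otherwise file-system redirection will show SysWOW64 instead of the real system32; a flagged DLL is a lead to examine, not proof of infection by itself.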

Just another fun bit of malware, eh?

I guess my real issue with this isn't so much that the malware's out there, but that the anti-virus industry seems to be spread rather thin when it comes to providing information about what malware does when it infects a system. There doesn't seem to be a real standard when it comes to malware write-ups, even within the same company, and in many cases, you can't seem to put together a complete, consolidated picture of what the malware does even by going to multiple sites. Hopefully, my upcoming article on malware analysis (my courseware will be more detailed, and will include hands-on exercises) will shed some light on this...

Thanks, and I hope everyone has a very Merry Christmas, and a Happy New Year!